
SOLVED: shorewall blocks apt-get



> > 1) run an internal DNS behind the firewall, and direct all queries at
> > that system, punch a hole through the firewall to allow that system
> > through. I do this on my network, I have a bridged freebsd box
> > which has a default ipfw policy of deny, then I told BIND to only
> > use UDP port 53 for all actions (makes it firewall-friendly), and
> > opened a hole in the firewall to allow requests to go to UDP/53
> > on my nameserver. You shouldn't need to allow incoming requests,
> > just outgoing; since my server is authoritative for about 45 domains
> > I need to allow incoming as well.
> > 2) Try running all of your DNS requests over TCP, using the
> > 'host' command you can do this, I am not aware of any way to get
> > the system to default to this.
> > 3) point to your proxy using its IP address not the domain name
> > so it doesn't have to resolve anything. Many proxy servers handle
> > all DNS resolution as well, so if you're using a proxy your system
> > doesn't need to know what debian.org or whatever resolves to.
> > 
> > 
> > #3 is the best interim solution, if you run a network, the best
> > long term solution is #1, that way you have both DNS and a DNS
> > cache on your internal network.
> > 
> > nate
> 
> I've specified some rules in shorewall to allow me access to port
> 53 with tcp and udp. It still doesn't work.
> As for #3, I don't know what the IP is of this proxy so
> I won't be able to use this. I think solution one is going to be what
> I need. Seems a bit overkill though for what I want to do.
> 
> Another solution is to temporarily shut down the firewall but I
> do not want to do this.

After the comments Nate made I rechecked my rules file from
shorewall and it dawned on me that I could try to add a rule
for port 8080, so I added:

ACCEPT      fw     net     tcp     8080

and it worked!
(dumb*ss me for not realizing this sooner)

For completeness, the two rules I had already added, which are also
necessary to make it work, are:

ACCEPT      fw     net     tcp     53
ACCEPT      fw     net     udp     53

Ha, now my little apt friend works again :)
Also, thanks again Nate for helping me solve this.

As you can see, I still need to learn a lot when it comes to
firewall configuration, and to think that shorewall already hides
a lot of the iptables stuff...
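As an added example, not part of the original post and not shorewall's own tooling: a small POSIX shell script that reads the proxy URL out of apt.conf and prints the matching shorewall rules, i.e. the 8080 rule above generalised to whatever port apt is actually configured to use, plus the two DNS rules. The host names, addresses and file contents in it are constructed. One caveat worth keeping in mind: "ACCEPT fw net tcp 8080" lets the firewall host open TCP 8080 to any address in the net zone; once the proxy's IP is known, the same rule with "net:<ip>" in the DEST column is the tighter form, and the script emits that when you hand it the address.

```shell
#!/bin/sh
# Added example (not from the original post): turn the apt proxy setting
# into the shorewall rules the firewall host needs. File contents, host
# names and addresses below are constructed for the demonstration.

# Pull the URL out of an Acquire::http::Proxy line in an apt.conf file.
apt_proxy_from_conf() {
    sed -n 's/^[[:space:]]*Acquire::http::Proxy[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Split http://[user:pass@]host[:port]/ into "host port"; the port
# defaults to 80, the http default apt uses when none is given.
proxy_host_port() {
    hp=${1#*://}                 # drop the scheme
    hp=${hp%%/*}                 # drop any path
    hp=${hp##*@}                 # drop user:pass@ credentials
    case $hp in
        *:*) host=${hp%:*}; port=${hp##*:} ;;
        *)   host=$hp;      port=80 ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# Print rules for /etc/shorewall/rules (ACTION SOURCE DEST PROTO PORT):
# the proxy port plus DNS over tcp and udp, all outbound from the fw
# zone. With a second argument (the proxy's IP, once known) the proxy
# rule is scoped to that single host instead of the whole net zone.
apt_proxy_rules() {
    set -- $(proxy_host_port "$1") "$2"   # now $1=host $2=port $3=dest ip
    port=$2
    dest=net
    [ -n "$3" ] && dest="net:$3"
    printf 'ACCEPT\tfw\t%s\ttcp\t%s\n' "$dest" "$port"
    printf 'ACCEPT\tfw\tnet\ttcp\t53\n'
    printf 'ACCEPT\tfw\tnet\tudp\t53\n'
}

# Demo on a constructed apt.conf.
conf=$(mktemp)
cat >"$conf" <<'EOF'
// constructed sample apt.conf
Acquire::http::Proxy "http://proxy.example.net:8080/";
EOF
url=$(apt_proxy_from_conf "$conf")
apt_proxy_rules "$url"
rm -f "$conf"
```

Run it on the real /etc/apt/apt.conf (or the file under /etc/apt/apt.conf.d/ that carries the proxy line) and append the output to the shorewall rules file, then restart shorewall; IPv6 bracketed hosts are not handled by the parser.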



